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(54) [Title of the invention] Method of detecting 
unauthorized use of electronic commerce transaction 
20 system and device therefor 
(57) [Abstract] 

[Problem] To provide a method of detecting 
unauthorized use of an electronic commerce transaction 
system and a device therefor, capable of detecting 
25 unauthorized use of a system by an unauthorized user 
and/or an unauthorized client, based on the results of 



monitoring the ordinary actions of regular users and/or 
regular clients. 

[Means for solution] There are provided: decision 
criterion supplying means 6 that supplies a plurality 
of data items incorporated in individual models and a 
general model accumulated by data accumulation means 2 
as a decision criterion for deciding whether or not the 
access in question is unauthorized access every time 
new access is executed; and unauthorized use decision 
means 7 that decides whether or not the access in 
question is based on unauthorized use, by comparing a 
plurality of data items incorporated in individual 
models and a general model provided by this decision 
criterion supplying means 6 with a plurality of new 
data items extracted by access data extraction means 1 
accompanying the access in question. 
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20 [Claims] 

[Claim 1] A method for detecting unauthorized use 
of an electronic commerce transaction system wherein, 
in detection in real time by constant monitoring for 
unauthorized use of electronic commerce transactions on 

25 each access, 

decision and detection are performed by referring 
to past action history trends and behavior in actions 
such as access or events by regular users and/or 
regular clients. 

30 [Claim 2] The method for detecting unauthorized use 



of an electronic commerce transaction system as claimed 
in claim 1, wherein said action history is divided into 
individual models and a general model. 

[Claim 3] The method for detecting unauthorized use 
5 of an electronic commerce transaction system as claimed 
in claim 1 or 2, wherein said individual models and 
general model are mutually given orders of reference 
priority . 

[Claim 4] The method for detecting unauthorized use 
10 of an electronic commerce transaction system as claimed 
in claim 2 or 3, wherein said individual models and 
general model make use of both data directly obtained 
from an individual record of events accompanying 
access; and 

15 data derived from a plurality of event records. 

[Claim 5] The method for detecting unauthorized use 
of an electronic commerce transaction system as claimed 
in claim 1, 2, 3 or 4, wherein, as said past action 
history, users and/or clients are given individual 

20 identifiers, and the function of these users and/or 
clients is controlled by means of data that is sent to 
said users and/or clients from this provider and/or 
server, such that, when a shift to a page subsequent to 
the initial screen takes place, this information is 

25 automatically transmitted to the provider and/or server 
and data sorted to each said individual identifier is 
accumulated in for example a file or memory in this 
provider or server . 

[Claim 6] The method for detecting unauthorized use 

30 of an electronic commerce transaction system as claimed 
in claim 2, 3, 4 or 5, wherein said individual models 
and general model include both data on which 
statistical processing is performed and data expressing 
state transitions. 

35 [Claim 7] The method for detecting unauthorized use 

of an electronic commerce transaction system as claimed 
in claim 6, wherein said state transitions include 
individual access action state transitions whereby 
unauthorized use is detected from access actions; and 



plural access state transitions whereby unauthorized 
use is detected by comparison of state transitions from 
the past to the present. 

[Claim 8] A method for detecting unauthorized use 
5 of an electronic commerce transaction system wherein, 
in detecting unauthorized use of electronic commerce 
transactions for detecting unauthorized use of an 
arbitrary client/server system whereby electronic 
commerce transactions are performed, 

10 every time a prescribed event is issued a plurality 

of times from a client after commencement of access 
from said client to the server, said server 
sequentially acquires, as a plurality of data items, 
information relating to said client and the user, and 

15 also information relating to the electronic commerce 
transaction conduct of this user, and incorporates and 
accumulates this plurality of respective data items in 
an individual model identified as a unit by the 
individual identifier given to said user; and 

20 thereafter, every time a new access is implemented, 

compares the plurality of data items obtained after 
commencement of this access with said individual model 
and decides whether or not this access is unauthorized 
use in accordance with the result of this comparison. 

25 [Claim 9] The method for detecting unauthorized use 

of an electronic commerce transaction system as claimed 
in claim 8, wherein, in accumulation of said plurality 
of data items, said plurality of respective data items 
are incorporated in a general model for obtaining 

30 average user data of all the users using this system, 
instead of in said individual model; and 

the decision as to whether or not said access is 
unauthorized use is made in accordance with the results 
of comparison of said plurality of data items and this 

35 general model. 

[Claim 10] The method for detecting unauthorized 
use of an electronic commerce transaction system as 
claimed in claim 8 or 9, wherein accumulation of said 
plurality of data items is performed in accordance with 



time sequence data whereby all of the data obtained at 
the time point where a single access has been 
terminated are arranged in order of their generation. 

[Claim 11] The method for detecting unauthorized 
5 use of an electronic commerce transaction system as 
claimed in claim 10, wherein, when obtaining said time 
sequence data, the events up to this prescribed last 
event at a time-point where a prescribed limiting time 
has elapsed after the time at which said prescribed 

10 events are presumed to have been finally issued are 
regarded as a series of prescribed events included in a 
single access. 

[Claim 12] The method for detecting unauthorized 
use of an electronic commerce transaction system as 

15 claimed in claim 8, 9, 10 or 11, wherein the decision 
as to whether or not said access is unauthorized use is 
made using a statistical technique. 

[Claim 13] The method for detecting unauthorized 
use of an electronic commerce transaction system as 

20 claimed in claim 8, 9, 10, 11 or 12, wherein the 
decision as to whether or not said access is 
unauthorized use is made by detecting irregularity of 
state transition of this system accompanying said 
prescribed event issued a plurality of times during a 

25 single access. 

[Claim 14] The method for detecting unauthorized 
use of an electronic commerce transaction system as 
claimed in claim 8, 9, 10, 11 or 12, wherein the 
decision as to whether or not said access is 

30 unauthorized use is made by detecting irregularity of 
specified data, of said plurality of data items 
presumed to be of the same user acquired in a plurality 
of accesses. 

[Claim 15] The method for detecting unauthorized 
35 use of an electronic commerce transaction system as 
claimed in claim 14, wherein said specified data is 
data comprising information relating to said electronic 
commerce transactions by said user. 

[Claim 16] The method for detecting unauthorized 



use of an electronic commerce transaction system as 
claimed in claim 8, 9, 10, 11, 12, 13, 14 or 15, 
wherein said prescribed event is a next-screen display 
request event for requesting display of the next 
5 screen. 

[Claim 17] A device for detecting unauthorized use 
of an electronic commerce transaction system equipped 
with: access data extraction means that extracts at 
least access data sent from a client to an arbitrary 

10 server in a client/server system whereby electronic 
commerce transactions are performed with commencement 
of access, and data accumulation means that accumulates 
said access data extracted by this access data 
extraction means; wherein 

15 said access data extraction means, in addition to 

extraction of said access data, is given the function 
of extracting a plurality of data items including 
information relating to said client and the user and 
information relating to the electronic commerce 

20 transaction conduct of this user, every time a 
prescribed event is issued a plurality of times from 
said client after commencement of said access; and 

said data accumulation means, in addition to 
accumulation of said access data, is given the function 

25 of incorporating and accumulating said plurality of 
respective data items extracted by said access data 
extraction means in an individual model identified as a 
unit by the individual identifier given to said user; 
and which comprises: 

30 decision criterion supplying means that supplies a 

plurality of data items incorporated in said individual 
model accumulated by this data accumulation means as a 
decision criterion for deciding whether or not this 
access is unauthorized use every time new access is 

35 executed; and 

unauthorized use decision means that decides 
whether or not this access is unauthorized use by 
comparing a plurality of data items incorporated in 
said individual model supplied by this decision 



criterion supplying means with the new plurality of 
data items extracted by said access data extraction 
means accompanying this access. 

[Claim 18] The device for detecting unauthorized 
5 use of an electronic commerce transaction system as 
claimed in claim 17, wherein it is given the series of 
respective organically linked functions and 

said data accumulation means incorporates said 
respective plurality of data in a general model for 

10 obtaining average data of all of the users using this 
system instead of in said individual model, 

said decision criterion supplying means supplies as 
the decision criterion for deciding whether or not this 
access is unauthorized use, a plurality of data items 

15 incorporated in said general model accumulated by this 
data accumulation means, every time new access is 
executed, and 

said unauthorized use decision means decides 
whether or not this access is unauthorized use by 

20 comparing a plurality of data items incorporated in 
said general model supplied by this decision criterion 
supplying means with the new plurality of data items 
extracted by said access data extraction means 
accompanying this access. 

25 [Claim 19] The device for detecting unauthorized 

use of an electronic commerce transaction system as 
claimed in claim 17 or 18, wherein 

said data accumulation means has a function of 
performing accumulation of said plurality of data items 

30 in accordance with time sequence data whereby all of 
the data items obtained at the time point where a 
single access has terminated are arranged in order of 
their generation. 

[Claim 20] The device for detecting unauthorized 

35 use of an electronic commerce transaction system as 
claimed in claim 18, wherein said data accumulation 
means, when obtaining said time sequence data, has a 
function of regarding the events up to this prescribed 
last event at a time-point where a prescribed limiting 
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time has elapsed after the time at which said 
prescribed events are presumed to have been finally 
issued as a series of prescribed events included in a 
single access. 

5 [Claim 21] The device for detecting unauthorized 

use of an electronic commerce transaction system as 
claimed in claim 17, 18, 19 or 20, wherein said 
unauthorized use decision means comprises calculation 
means that effects the decision as to whether or not 
10 said access is unauthorized use using a statistical 
technique . 

[Claim 22] The device for detecting unauthorized 
use of an electronic commerce transaction system as 
claimed in claim 17, 18, 19, 20 or 21, wherein said 

15 unauthorized use decision means comprises calculation 
means that effects the decision as to whether or not 
said access is unauthorized use by detecting 
irregularity of state transition of this system 
accompanying said prescribed event issued a plurality 

20 of times during a single access. 

[Claim 23] The device for detecting unauthorized 
use of an electronic commerce transaction system as 
claimed in claim 17, 18, 19, 20 or 21, wherein said 
unauthorized use decision means comprises calculation 

25 means that effects the decision as to whether or not 
said access is unauthorized use by detecting 
irregularity of specified data items of said plurality 
of data items presumed to be those of the same user 
acquired in a plurality of accesses. 

30 [Claim 24] The device for detecting unauthorized 

use of an electronic commerce transaction system as 
claimed in claim 23, wherein said specified data items 
are data comprising information relating to said 
electronic commerce transaction performed by said user. 

35 [Claim 25] The device for detecting unauthorized 

use of an electronic commerce transaction system as 
claimed in claim 17, 18, 19, 20, 21, 22, 23 or 24, 
wherein said prescribed event is a next-screen display 
request event for requesting display of the next 



- 9 - 

screen . 

[Detailed description of the invention] 
[0001] 

[Technical field to which the invention belongs] 
5 The present invention relates to a method and 

device for detecting unauthorized use of an electronic 
commerce transaction system. In more detail, it relates 
to a method for detecting unauthorized use of an 
electronic commerce transaction system for detecting 

10 unauthorized use of this electronic transaction system 
whereby a person who has not been granted permission to 
use an arbitrary client/server system (hereinbelow 
simply referred to as an "electronic commerce 
transaction system") for performing the sale of 

15 products etc by using electronic commerce transactions 
poses as a person who has properly been granted 
permission, and to a device for detecting unauthorized 
use of the electronic commerce transaction system that 
is directly employed to put this into practice. 

20 [0002] 

[Prior art] In recent years, virtual malls, i.e. 
electronic shopping arcades, have been constructed 
whereby the sale of products can be performed by for 
example displaying product catalogues on a WWW site on 

25 the Internet using for example the WWW (World Wide 
Web) . 

[0003] With a WWW site of this type, a user (user 
who is attempting to purchase a product) inputs the 
user ' s own credit card information from a client 

30 terminal or performs electronic commerce transactions 
by effecting settlement using electronic money, so, in 
the event of unauthorized use, the operator of the 
shopping arcade may suffer monetary damage. In order to 
prevent this, a server must detect unauthorized use 

35 during the short time from commencement of access of 
the electronic commerce transaction system by the user 
to settlement thereof and exclude the unauthorized 
user . 

[0004] What is meant by "unauthorized use" in this 
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context is that another person acquires by some method 
other than the regular procedure an individual 
identifier such as an ID (identification) or password 
that was acquired from the server administrator through 
5 the regular procedure by a given person, and proceeds 
to utilize the server functions by using this, or that 
the server functions are utilized by impersonating 
another person using a defect of the system. 
Hereinbelow, the expression "unauthorized user" means a 

10 person who performs such unauthorized use. 

[0005] Examples of methods of detection of 
unauthorized use adopted in typical conventional 
computer systems are as follows : 

(1) a technique in which, by analyzing the various 

15 logs that are kept in the computer system, for example 
execution of a command which is not allowed to the user 
is detected, and this is deemed to be unauthorized use. 

[0006] (2) a technique in which the system 
administrator, for example, investigates beforehand 

20 events that might be the subject of attack from a 
person trying to perform unauthorized use by examining 
for example defects of the software used to constitute 
the computer system, mis-settings, or inappropriate use 
thereof . 

25 [0007] (3) a technique of, by means of a system 

that is permanently resident in the computer system, or 
a system that performs monitoring of network packets, 
arranged on the network, monitoring the actions 
(history of event requests) of privileged users (this 

30 indicates users having system administration rights 
i.e. so-called superusers, distinguished from ordinary 
users) capable of damaging the computer system and 
comparing these with the pattern of action registered 
beforehand in the system, and thereby deciding whether 

35 such actions are those of an unauthorized user. 
[0008] 

[Problem that the invention is intended to solve] 
However, the techniques for detection of unauthorized 
use indicated above are merely techniques that are 
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already adopted in typical computer systems. In the 
case of technique (1), the required detection of 
unauthorized use can only be performed with the timing 
with which the logs are periodically inspected, so no 
5 benefit can be expected in the case of an electronic 
commerce transaction system, in which detection of 
unauthorized use in real time is demanded. 

[0009] In the case of technique (2), it is only 
possible to check for defects whose existence is 

10 recognized beforehand, so unauthorized use that is 
performed in a situation in which no defects or the 
like are present cannot be detected: thus, for the same 
reasons as described above, application of this 
technique to electronic commerce transaction systems is 

15 difficult. 

[0010] Also, in the case of technique (3), this 
only functions in conditions in which there are 
privileged user actions that can be the subject of 
monitoring and so basically cannot be employed to 

20 monitor for unauthorized users from among users having 
the same privileges. In particular, in the case of the 
electronic commerce transaction systems in question, no 
privileged user is present in the registered users and 
all the users have the same privileges so what they can 

25 do in the server is the same. 

[0011] As described above, none of these techniques 
can be applied to detection of unauthorized use of an 
electronic commerce transaction system. That is, from 
the above, for detection of unauthorized use of an 

30 electronic commerce transaction system, rather than 
monitoring the actions of privileged users, it appears 
more appropriate to perform this detection on the basis 
of the ordinary actions of regular users and for this 
purpose, the best strategy is of course the use of the 

35 logs recorded in the server as the electronic commerce 
transaction system is accessed. 

[0012] However, when considering the types of log 
that are recorded in a server as described above, a WWW 
server for example records in logs only extremely 
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restricted information, specifically, the filename in 
respect of which a request for display is made from a 
client, the machine name of the client that is the 
source of the request, or the time etc. 
5 [0013] Furthermore, a characteristic feature of a 

WWW server is that sessions comprising display requests 
from the same client can only be recorded in discrete 
fashion for each occasion. This means that display 
requests for a plurality of pages performed with same 

10 object by a user cannot be captured as a series of 
actions performed by the same user. 

[0014] Accordingly, the chief objects to be solved 
by the present invention are as follows. Specifically, 
a first object of the present invention is to provide a 

15 method and device for detection of unauthorized use of 
an electronic commerce transaction system capable of 
detecting unauthorized use of the system by an 
unauthorized user, based on the results of monitoring 
the ordinary actions of regular users. 

20 [0015] A second object of the present invention is 

to provide a method and device for detection of 
unauthorized use of an electronic commerce transaction 
system whereby it is possible to grasp a series of 
actions performed by the same user. 

25 [0016] A third object of the present invention is 

to provide a method and device for detection of 
unauthorized use of an electronic commerce transaction 
system capable of detecting unauthorized use of the 
system based on the style of actions of typical users. 

30 [0017] Other objects on the present invention will 

become clear from the description of the specification, 
drawings and in particular the claims . 
[0018] 

[Means for solving the problem] The present 
35 invention is characterized by the provision of a 
technique and means whereby, for solving the above 
problems, a plurality of data items of various types 
issued after commencement of access of the server by a 
client are acquired, the respective plurality of data 
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items, once these have been acquired, are compared with 
a plurality of data items obtained after this access 
every time new access is executed, and a decision is 
made as to whether or not this access is unauthorized 
5 use in accordance with the result of this comparison. 

[0019] To describe the invention in further detail, 
in the solution of these problems, the above objects 
are achieved according to the present invention by the 
adoption of novel characteristic constituent techniques 
10 and means, extending from the above general concept to 
subordinate concepts and listed by way of example as 
follows . 

[0020] Specifically, according to a first 
characteristic feature of the method according to the 

15 present invention, in detection in real time by 
constant monitoring for unauthorized use of electronic 
commerce transactions on each access, a method is 
adopted of detection of unauthorized use of the 
electronic commerce transaction system by decision and 

20 detection performed referring to past action history 
trends and behavior in actions such as access or events 
by regular users and/or regular clients. 

[0021] According to a second characteristic feature 
of the method according to the present invention, a 

25 method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein said 
action history in the first characteristic feature of 
the method according to the present invention is 
divided into individual models and a general model. 

30 [0022] According to a third characteristic feature 

of the method according to the present invention, a 
method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein said 
individual models and general model according to the 

35 first or second characteristic features of the method 
according to the present invention are mutually given 
orders of reference priority. 

[0023] According to a fourth characteristic feature 
of the method according to the present invention, a 
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method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein said 
individual models and general model according to the 
second or third characteristic features of the method 
5 according to the present invention make use of both 
data directly obtained from an individual record of 
events accompanying access; and data derived from a 
plurality of event records. 

[0024] According to a fifth characteristic feature 

10 of the method according to the present invention, a 
method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein, as 
said past action history according to the first, 
second, third or fourth characteristic features of the 

15 method according to the present invention, users and/or 
clients are given individual identifiers, and the 
function of these users and/or clients is controlled by 
means of data that is sent to said users and/or clients 
from this provider and/or server, such that, when a 

20 shift to a page subsequent to the initial screen takes 
place, this information is automatically transmitted to 
the provider and/or server and data sorted to each said 
individual identifier is accumulated in for example a 
file or memory in this provider or server. 

25 [0025] According to a sixth characteristic feature 

of the method according to the present invention, a 
method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein said 
individual models and general model according to the 

30 first, second, third, fourth or fifth characteristic 
features of the method according to the present 
invention include both data on which statistical 
processing is performed and data expressing state 
transitions . 

35 [0026] According to a seventh characteristic 

feature of the method according to the present 
invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein said state transitions according to the 
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sixth characteristic feature of the method according to 
the present invention include individual access action 
state transitions whereby unauthorized use is detected 
from access actions; and plural access state 
5 transitions whereby unauthorized use is detected by 
comparison of state transitions from the past to the 
present . 

[0027] According to an eighth characteristic 
feature of the method according to the present 

10 invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein, in detecting unauthorized use of 
electronic commerce transactions for detecting 
unauthorized use of an arbitrary client/server system 

15 whereby electronic commerce transactions are performed, 
every time a prescribed event is issued a plurality of 
times from a client after commencement of access from 
the client to the server, the server sequentially 
acquires, as a plurality of data items, information 

20 relating to the client and the user, and also 
information relating to the electronic commerce 
transaction conduct of this user, and incorporates and 
accumulates this plurality of respective data items in 
an individual model identified as a unit by the 

25 individual identifier given to the user; and 
thereafter, every time a new access is implemented, 
compares the plurality of data items obtained after 
commencement of this access with the individual model 
and decides whether or not this access is unauthorized 

30 use in accordance with the result of this comparison. 

[0028] According to a ninth characteristic feature 
of the method according to the present invention, a 
method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein, in 

35 accumulation of the plurality of data items according 
to the eighth characteristic feature of the method 
according to the present invention, the plurality of 
respective data items are incorporated in a general 
model for obtaining average user data of all the users 



using this system, instead of in the individual model; 
and the decision as to whether or not the access is 
unauthorized use is made in accordance with the results 
of comparison of the plurality of data items and this 
5 general model. 

[0029] According to a tenth characteristic feature 
of the method according to the present invention, a 
method is adopted of detection of unauthorized use of 
the electronic commerce transaction system wherein 

10 accumulation of the plurality of data items according 
to the eigth or ninth characteristic feature of the 
method according to the present invention is performed 
in accordance with time sequence data whereby all of 
the data obtained at the time point where a single 

15 access has been terminated are arranged in order of 
their generation. 

[0030] According to an eleventh characteristic 
feature of the method according to the present 
invention, a method is adopted of detection of 

20 unauthorized use of the electronic commerce transaction 
system wherein, when obtaining the time sequence data 
according to the tenth characteristic feature of the 
method according to the present invention, the events 
up to this prescribed last event at a time-point where 

25 a prescribed limiting time has elapsed after the time 
at which the prescribed events are presumed to have 
been finally issued are regarded as a series of 
prescribed events included in a single access. 

[0031] According to a twelfth characteristic 

30 feature of the method according to the present 
invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein the decision as to whether or not the 
access according to the eighth, ninth, tenth or 

35 eleventh characteristic features of the method 
according to the present invention is unauthorized use 
is made using a statistical technique. 

[0032] According to a thirteenth characteristic 
feature of the method according to the present 
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invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein the decision as to whether or not the 
access according to the eighth, ninth, tenth, eleventh 
5 or twelfth characteristic features of the method 
according to the present invention is unauthorized use 
is made by detecting irregularity of state transition 
of this system accompanying the prescribed event issued 
a plurality of times during a single access. 

10 [0033] According to a fourteenth characteristic 

feature of the method according to the present 
invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein the decision as to whether or not the 

15 access according to the eighth, ninth, tenth, eleventh 
or twelfth characteristic features of the method 
according to the present invention is unauthorized use 
is made by detecting irregularity of specified data, of 
the plurality of data items presumed to be of the same 

20 user acquired in a plurality of accesses. 

[0034] According to a fifteenth characteristic 
feature of the method according to the present 
invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 

25 system wherein the specified data according to the 
fourteenth characteristic feature of the method 
according to the present invention is data comprising 
information relating to the electronic commerce 
transactions by the user. 

30 [0035] According to a sixteenth characteristic 

feature of the method according to the present 
invention, a method is adopted of detection of 
unauthorized use of the electronic commerce transaction 
system wherein the prescribed event according to the 

35 eighth, ninth, tenth, eleventh, twelfth, thirteenth, 
fourteenth or fifteenth characteristic features of the 
method according to the present invention is a next- 
screen display request event for requesting display of 
the next screen. 
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[0036] According to a first characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
an electronic commerce transaction system equipped 
5 with: access data extraction means that extracts at 
least access data sent from a client to an arbitrary 
server in a client/server system whereby electronic 
commerce transactions are performed with commencement 
of access, and data accumulation means that accumulates 

10 access data extracted by this access data extraction 
means; wherein the access data extraction means, in 
addition to extraction of the access data, is given the 
function of extracting a plurality of data items 
including information relating to the client and the 

15 user and information relating to the electronic 
commerce transaction conduct of this user, every time a 
prescribed event is issued a plurality of times from 
the client after commencement of access; and the data 
accumulation means, in addition to accumulation of 

20 access data, is given the function of incorporating and 
accumulating the plurality of respective data items 
extracted by the access data extraction means in an 
individual model identified as a unit by the individual 
identifier given to the user; and comprising: decision 

25 criterion supplying means that supplies a plurality of 
data items incorporated in the individual model 
accumulated by this data accumulation means as a 
decision criterion for deciding whether or not this 
access is unauthorized use every time new access is 

30 executed; and unauthorized use decision means that 
decides whether or not this access is unauthorized use 
by comparing a plurality of data items incorporated in 
the individual model supplied by this decision 
criterion supplying means with the new plurality of 

35 data items extracted by the access data extraction 
means accompanying this access. 

[0037] According to a second characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
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an electronic commerce transaction system that is given 
the series of respective organically linked functions 
wherein the data accumulation means in the first 
characteristic feature of the device according to the 
5 present invention incorporates the respective plurality 
of data in a general model for obtaining average data 
of all of the users using this system instead of in the 
individual model, the decision criterion supplying 
means supplies, as the decision criterion for deciding 

10 whether or not this access is unauthorized use, a 
plurality of data items incorporated in the general 
model accumulated by this data accumulation means, 
every time new access is executed, and the unauthorized 
use decision means decides whether or not this access 

15 is unauthorized use by comparing a plurality of data 
items incorporated in the general model supplied by 
this decision criterion supplying means with the new 
plurality of data items extracted by the access data 
extraction means accompanying this access. 

20 [0038] According to a third characteristic feature 

of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
an electronic commerce transaction system wherein the 
data accumulation means in the first or second 

25 characteristic feature of the device according to the 
present invention has a function of performing 
accumulation of the plurality of data items in 
accordance with time sequence data whereby all of the 
data items obtained at the time point where a single 

30 access has terminated are arranged in order of their 
generation . 

[0039] According to a fourth characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
35 an electronic commerce transaction system wherein the 
data accumulation means in the third characteristic 
feature of the device according to the present 
invention, when obtaining the time sequence data, has a 
function of regarding the events up to this prescribed 
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last event at a time-point where a prescribed limiting 
time has elapsed after the time at which the prescribed 
events are presumed to have been finally issued as a 
series of prescribed events included in a single 
5 access. 

[0040] According to a fifth characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
an electronic commerce transaction system wherein the 

10 unauthorized use decision means in the first, second, 
third or fourth characteristic feature of the device 
according to the present invention comprises 
calculation means that effects the decision as to 
whether or not the access is unauthorized use using a 

15 statistical technique. 

[0041] According to a sixth characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
an electronic commerce transaction system wherein the 

20 unauthorized use decision means in the first, second, 
third, fourth or fifth characteristic feature of the 
device according to the present invention comprises 
calculation means that effects the decision as to 
whether or not said access is unauthorized use by 

25 detecting irregularity of state transition of this 
system accompanying the prescribed event issued a 
plurality of times during a single access. 

[0042] According to a seventh characteristic 
feature of the device according to the present 

30 invention, a device is adopted for detection of 
unauthorized use of an electronic commerce transaction 
system wherein the unauthorized use decision means in 
the first, second, third, fourth or fifth 
characteristic feature of the device according to the 

35 present invention comprises calculation means that 
effects the decision as to whether or not said access 
is unauthorized use by detecting irregularity of 
specified data items of the plurality of data items 
presumed to be those of the same user acquired in a 
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plurality of accesses. 

[0043] According to an eighth characteristic 
feature of the device according to the present 
invention, a device is adopted for detection of 
5 unauthorized use of an electronic commerce transaction 
system wherein the specified data items in the seventh 
characteristic feature of the device according to the 
present invention are data comprising information 
relating to the electronic commerce transaction 

10 performed by the user. 

[0044] According to a ninth characteristic feature 
of the device according to the present invention, a 
device is adopted for detection of unauthorized use of 
an electronic commerce transaction system wherein the 

15 prescribed event in the first, second, third, fourth, 
fifth, sixth, seventh or eighth characteristic feature 
of the device according to the present invention is a 
next-screen display request event for requesting 
display of the next screen. 

20 [0045] 

[Embodiments of the invention] Embodiments of the 
present invention are described below with reference to 
the appended drawings in terms of examples of the 
device and examples of the method thereof. It should be 

25 noted that, while, in the following description, in 
order to facilitate comprehension, an Internet system 
using the WWW is given as an example of a client/server 
system, the invention could likewise be applied to a 
user/provider system. 

30 [0046] (Device example) Figure 1 is a block diagram 

showing the principles of the construction of a device 
for detection of unauthorized use of an electronic 
commerce transaction system according to an embodiment 
of the present invention. 

35 [0047] As shown in this Figure, a device a for 

detection of unauthorized use of an electronic commerce 
transaction system according to this embodiment, as a 
precondition, is arranged on a server (not shown) in an 
arbitrary client/server system that performs electronic 
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commerce transactions, and comprises at least: access 
data extraction means 1 that extracts access data 
transmitted from a client (not shown) on commencement 
of access; and data accumulation means 2 that 
5 accumulates access data extracted by this access data 
extraction means 1. It should be noted that the access 
data that is accumulated by the data accumulation means 
2 is in fact stored on access data storage means 3 
comprising for example a hard disk. 

10 [0048] In this device a for detection of 

unauthorized use of an electronic commerce transaction 
system, the aforesaid access data extraction means 1, 
in addition to extraction of the above access data, is 
given the function of extracting a plurality of data 

15 items including information relating to the client and 
information relating to the electronic commerce 
transaction conduct of this client, every time an event 
(next-screen display request event) for example for 
requesting display of the next screen is issued a 

20 plurality of times from the client after commencement 
of access . 

[0049] At the same time, the data accumulation 
means 2, in addition to accumulation of access data in 
the access data storage means 3, is given the function 

25 of incorporating and accumulating the plurality of 
respective data items extracted by the access data 
extraction means 1 in an individual model identified as 
a unit by the individual identifier given to the 
client, and a general model for obtaining average data 

30 of all of the clients that utilize this system. It 
should be noted that the plurality of data items 
accumulated by the data accumulation means 2 are 
respectively stored in individual model storage means 4 
comprising for example a hard disk and general model 

35 storage means 5, for the individual models and the 
general model. 

[0050] In addition, this device a for detection of 
unauthorized use of an electronic commerce transaction 
system comprises: decision criterion supplying means 6 
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that supplies a plurality of data items incorporated in 
the individual model and general model by this data 
accumulation means 2 in individual model storage means 
4 and general model storage means 5 as a decision 
5 criterion for deciding whether or not this access is 
unauthorized use every time new access is executed; and 
unauthorized use decision means 7 that decides whether 
or not this access is unauthorized use by comparing a 
plurality of data items incorporated in the individual 
10 model supplied by this decision criterion supplying 
means 6 with the new plurality of data items extracted 
by the access data extraction means 1 accompanying this 
access, using logical calculation means etc., not 
shown . 

15 [0051] The accumulation of the plurality of data 

items by the data accumulation means 2 may be performed 
by means of time sequence data whereby all of the data 
obtained at the time-point where a single access 
terminated are arranged in order of generation thereof. 

20 [0052] However, since for example in a WWW server, 

no means exists for ascertaining that access has been 
interrupted, the technique may be adopted of, when 
obtaining such time sequence data, at the time-point 
where a prescribed limiting time has elapsed from the 

25 time assumed to be that of the last issuance of an 
event, regarding the events up to the last event in 
question as a series of events included in a single 
access, in order to make the actions of the client 
continuous, for convenience (after lapse of the 

30 prescribed limiting time, these are not regarded as a 
series of events) . 

[0053] Also, while, in the unauthorized use 
decision means 7, the decision as to whether or not 
access represents unauthorized use is made using 

35 ordinary statistical techniques that make use of for 
example calculation means, further, as a special 
technique, irregularity of state transitions of the 
system of question accompanying events issued a 
plurality of times during a single access may be 
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detected, or, alternatively, of a plurality of data 
items assumed to be those of the same client acquired 
during a plurality of accesses, irregularity of 
specified data items comprising information relating to 
5 electronic commerce transactions performed by the 
client may be detected (details to be described later) . 

[0054] (Example of method) Next, an example of a 
method applied to an example of a device constructed as 
described above will be described in terms of its 

10 outline and implementation procedure. 

[0055] [Outline] First of all, in order to capture 
the actions of a client accessing a WWW server in the 
server as a series of actions, the types of data that 
can be recorded by the WWW server are increased by 

15 installation of a CGI (Common Gateway Interface) or 
middleware . 

[0056] Also, by giving the clients individual 
identifiers such as IDs, it is arranged to control 
client functions by means of data sent from the server 

20 to the clients such that, when a shift takes place to a 
page subsequent to the initial screen, information in 
respect of this is automatically transmitted to the 
server, and to accumulate the data apportioned to each 
individual identifier in for example a file or memory 

25 (access data storage means 3) in the server. 

[0057] By means of this data, more information can 
be recorded than is recorded in the case of the 
standard WWW server logs, so that, even in a situation 
where a plurality of persons access the WWW server 

30 substantially at the same time point, the actions of 
specified individuals in the WWW server can be 
extracted . 

[0058] In this connection, what is used for 
identifying regular clients and unauthorized clients is 
35 two types of data groups, namely, the individual models 
and general model described above. An individual model 
is a set of data that, for each individual identifier, 
saves an action history representing the trends and 
behavior of the client performed on the WWW server in 
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question in the past. The general model is a set of 
data expressing the trends and behavior found from all 
of the clients on this WWW server. 

[0059] In either model, both data directly obtained 
5 from individual event recordings and data derived from 
a plurality of event recordings are utilized. The 
plurality of event recordings represent the result of 
aggregating the series of actions recorded for each 
individual identifier after commencement of access of 

10 the WWW server. 

[0060] The individual model and general model 
herein include both data for the performance of 
statistical processing and data expressing state 
transitions. Data for the performance of statistical 

15 processing means data capable of being numerically 
quantified: the differences between the individual 
models or general model expressing the trends or 
behavior obtained by numerical quantification and 
persons having an individual identifier in the current 

20 access are verified using for example testing by a 
statistical technique. In addition, this data includes 
both data obtained from access to the WWW server on a 
single occasion only and data obtained from access to 
the WWW server on more than one occasion. 

25 [0061] Also, in regard to state transition, two 

types of detection method are employed. One of these 
detection methods employs single access state 
transition, in which for example after the action of 
accessing the WWW server at a given time, an attempt to 

30 purchase a product without having perused the catalogue 
is detected and deemed to be unauthorized use. Another 
of these detection methods employs multiple access 
state transitions, in which an unauthorized client is 
detected by comparing past to present state 

35 transitions, in which for example a client, being a 
client whose total value of purchases has continued to 
rise over the past three purchasing occasions, attempts 
to make a purchase involving a sum larger than five 
times the average of the monetary amount of previous 
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purchases . 

[0062] In either case, a rule constituting a 
criterion for regarding a client as an unauthorized 
client is registered beforehand and a client matching 
5 this rule is deemed to be an unauthorized client. 
However, these rules are modified by being cumulatively 
recalculated every time client access increases, so 
they should not have fixed values. 

[0063] [Implementation procedure] First of all, 

10 when commencement of access of the WWW server by a 
client using an individual identifier is detected in 
the access data extraction means 1, the data 
accumulation means 2 commences recording of the access 
data relating to this individual identifier in the 

15 access recording means 3. At this time point, since, as 
the information of the connection source, the client's 
IP address (IP: Internet Protocol) and type of browser 
etc are obtained, these items of information are 
employed as a single item of information for 

20 identifying regular clients and unauthorized clients 
when detecting whether or not access is unauthorized 
use . 

[0064] Next, by sequentially recording the actions 
relating to movement between pages subsequently 

25 performed in the server by the client, i.e. next-screen 
display request events, in the individual model storage 
means 4 and general model storage means 5 by using the 
access data extraction means 1 and data accumulation 
means 2, it is arranged to treat these as time sequence 

30 data from the instant where the client accessed the WWW 
server . 

[0065] In the above state, when new access is 
detected by the access data extraction means 1 and an 
attempt is made to decide whether or not this access is 
35 unauthorized use, the decision criterion supplying 
means 6 reads the corresponding individual model and 
general model stored in the individual model storage 
means 4 and general model storage means 5 and supplies 
these as decision criteria to the unauthorized use 
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decision means 7. 

[0066] This unauthorized use decision means 7 then, 
using (or selectively using) the individual model and 
general model that are supplied thereto, decides 
5 whether or not the access is unauthorized use by 
statistical processing and a comparison with the state 
transition rules, and transfers the result of this 
decision as to unauthorized use to the server processor 
(not shown) . It should be noted that the criteria for 
10 detection of unauthorized use will not be fixed 
criteria, since they will depend on the object of the 
electronic commerce transaction system, the particulars 
of the products handled, and on the WWW page 
organization . 

15 [0067] It should be noted that, as described above, 

the required detection of unauthorized use in an 
electronic commerce transaction system must be 
performed in real time and, furthermore, this detection 
is usually performed using a plurality of data items, 

20 so the analysis of such data imposes a load on the 
server processing. 

[0068] As a countermeasure in this respect, for 
example an order of priority of use in arriving at the 
actual decision is given to the various items of data 

25 of the individual model and general model, and it is 
arranged that these items of data are utilized for 
detection of unauthorized use by using the data that 
are higher in order of priority first. In this way, it 
is possible to reduce the load on the server by 

30 arranging that detection of an unauthorized client can 
be achieved by verification with as few data items as 
possible . 

[0069] Also, it is arranged that, even in the 
condition that a decision regarding whether or not 
35 access constitutes unauthorized use has still to be 
reached, all of the data representing the access 
condition of the client is uniformly saved and 
accumulated as the access history information of the 
client, irrespective of whether or not such access does 
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in fact constitute unauthorized use. It may then be 
arranged, if necessary, for the conditions of client 
access to be reflected in the criteria and state 
transition rules for identifying unauthorized use when 
5 performing statistical processing. 
[0070] 

[Embodiments] Finally, as an embodiment, 
application of an example of the device described above 
and an example of the method to an actual electronic 
10 commerce transaction system will be described. 
[0071] (First embodiment) 

Example of an electronic commerce transaction 
system for performing sale of articles 

In this example, a product catalogue is presented 
15 on a WWW server on the Internet, and a client can 
perform selection and purchase of these products, and, 
if necessary, settlement of accounts. In this case, 
since no financial damage can occur simply as a result 
of perusal of the products, unauthorized use need only 
20 be detected prior to performance of settlement. 

[0072] Consequently, detection of an unauthorized 
client can be performed using the large quantity of 
data collected immediately prior to performance of 
settlement from the time point of commencement of 
25 access of the server by the client: errors in detection 
of unauthorized clients can thereby be reduced. It 
should be noted that such errors in detection may 
include both misidentif ication of access by a regular 
client as access by an unauthorized client or 
30 misidentif ication of access by an unauthorized client 
as access by a regular client. 
[0073] (Second embodiment) 

Example of an electronic commerce transaction 
system that provides information to members 
35 This example consists in an electronic commerce 

transaction system that provides information 
exclusively to clients who have registered beforehand. 
The difference between this example and the example of 
the previous electronic commerce transaction system for 
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performing sale of articles lies in that it is not 
sufficient merely to detect unauthorized use before 
settlement: rather, it is necessary to detect 
unauthorized use, and to exclude this, as early as 
5 possible from the time point at which perusal of the 
information by the client commences. 

[0074] Reasons for this that may be mentioned 
include that, in the case of an electronic commerce 
transaction system of this type, the information that 

10 is provided itself has value, so it is indispensable to 
detect at an early stage unauthorized use, in order to 
minimize the damage due to leakage of information, and 
also that settlement is not performed every time 
information is accessed, so the period allowed for 

15 settlement is long. 

[0075] It should be noted that although, in the 
case of this example, in contrast to the example of an 
electronic commerce transaction system in which sale of 
articles is performed, no exchange of funds based on 

20 sale of articles takes place, so it is necessary to 
identify an unauthorized client solely from the data 
regarding the actions of this client in the WWW server, 
there is no difference at all regarding the basic 
constitution of the device. It is merely that the 

25 decision data and criteria in respect of an 
unauthorized client are different. 

[0076] Hereinabove, an Internet system using the 
WWW was described by way of example of a client/server 
system with reference to a mode of implementation of 

30 the present invention and first and second embodiments 
thereof. However, the present invention can of course 
be applied to any desired type of clients/server system 
or user/provider systems capable of executing 
electronic commerce transactions. Also, the present 

35 invention is not necessarily restricted solely to the 
means and techniques described above and can be 
implemented with suitable modifications within a range 
in which the objects of the present invention are 
achieved and the following beneficial effect obtained. 
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[0077] 

[Beneficial effect of the invention] As described 
above, according to the present invention, a plurality 
of data items of various types issued after 
5 commencement of access of the server by the client are 
acquired, this acquired plurality of data items are 
respectively compared with a plurality of data items 
subsequently obtained after new access, every time such 
new access is executed, and a decision as to whether or 
10 not this new access represents unauthorized use is made 
in accordance with the result of this comparison. 

[0078] It thereby becomes possible to detect 
unauthorized use of the system by an unauthorized user 
or unauthorized client, based on the results of 
15 monitoring the ordinary actions of regular users or 
regular clients, and also becomes possible to obtain a 
grasp of the series of actions performed by the same 
user or same client and, furthermore, it becomes 
possible to detect unauthorized use of the system, 
20 based on the mode of action of typical users or 
clients. As a result, the possibility of financial 
damage to users of an electronic commerce transaction 
system whereby for example sale of articles is 
performed becomes extremely low. 
25 [Brief description of the drawings] 

[Figure 1] This is a block diagram showing the 
constitution of a device for detection of unauthorized 
use according to a mode of implementation of the 
present invention. 
30 [Explanation of the reference symbols] 

a: device for detecting unauthorized use of 
electronic commerce transaction system 
1... access data extraction means 
2... data accumulation means 
35 3 . . . access data 

4 ... individual models 
5... general model 

6... decision criterion supplying means 
7 ... unauthorized use decision means 



[Figure 1] 



a: device for detecting unauthorized use of electronic commerce transaction system 



access data 
extraction means 



if - * < 




